Pages

8 August 2024

Let’s start treating cyber security like it matters

Bruce Schneier and Tarah Wheeler

When an airplane crashes, impartial investigatory bodies leap into action, empowered by law to unearth what happened and why. But there is no such body to investigate CrowdStrike’s faulty update that recently ensnarled banks, airlines, and emergency services to the tune of billions of dollars. We need one.

To be sure, there is the White House’s Cyber Safety Review Board. On March 20, the CSRB released a report into last summer’s intrusion by a Chinese hacking group into Microsoft’s cloud environment, where it compromised the U.S. Department of Commerce, State Department, congressional offices, and several associated companies. But the board’s report—well-researched and containing some good and actionable recommendations—shows how it suffers from its lack of subpoena power and its political unwillingness to generalize from specific incidents to the broader industry.

Some background: The CSRB was established in 2021, by executive order, to provide an independent analysis and assessment of significant cyberattacks against the United States. The goal was to pierce the corporate confidentiality that often surrounds such attacks and to provide the entire security community with lessons and recommendations. The more we all know about what happened, the better we can all do next time. It's the same thinking that led to the formation of the National Transportation Safety Board, but for cyberattacks and not plane crashes.

No comments:

Post a Comment